Security mavens bracing for Thursday’s scheduled disclosure of a high-severity vulnerability in the widely used OpenSSL crypto library need wait no longer. It’s a bug that allows end users to crash servers running one version of the software by sending data that’s relatively easy to duplicate.
“If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur,” an advisory published Thursday morning stated. “This can be exploited in a DoS attack against the server.”
CVE-2015-0291, as the vulnerability is indexed, struck many people as anticlimactic, given Monday’s advisory that a “high” severity bug would be announced. That triggered concerns of a critical bug along the lines of the highly critical Heartbleed vulnerability that attackers used to extract passwords, private keys, and other confidential data from servers used for banking, shopping, and e-mail. By comparison, Thursday’s DoS bug can be used only to force a vulnerable server to reboot.
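The advisory quoted above pins the problem to the 1.0.2 release, so the first thing an operator wants is a quick check of which build is serving TLS. The following is an added example, not code from the article or from the OpenSSL project; it assumes the fix shipped in 1.0.2a (a known fact the article does not state) and that the `openssl version` banner reflects the code actually in use, which is not guaranteed where a distribution backports patches without changing the banner.

```python
import re
import subprocess

# Per the advisory, CVE-2015-0291 affects OpenSSL 1.0.2 servers; the fix
# shipped in 1.0.2a (assumption stated in the lead-in, not on the page).
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse the first line of `openssl version` into
    (major, minor, fix, patch_letters). Returns None for non-OpenSSL
    banners such as LibreSSL or BoringSSL, which carry their own versioning."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def affected_by_cve_2015_0291(banner):
    """True only for the unpatched 1.0.2 release (no patch letter).
    1.0.1x and earlier never had the bug; 1.0.2a and later carry the fix."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return False
    major, minor, fix, letters = parsed
    return (major, minor, fix) == (1, 0, 2) and letters == ""


def local_openssl_banner():
    """Read the banner of the openssl binary on PATH (hypothetical helper;
    distro builds may backport the fix without bumping this string)."""
    return subprocess.check_output(["openssl", "version"], text=True)


if __name__ == "__main__":
    banner = local_openssl_banner()
    status = "AFFECTED" if affected_by_cve_2015_0291(banner) else "not affected"
    print("%s -> %s by CVE-2015-0291" % (banner.strip(), status))
```

Treat a negative result as a banner check only; the authoritative answer on a patched distribution build is the package changelog.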